XSS + Cloudflare bypass!


Hi Guys,

In this article, I will share how did I found reflected XSS on my target( redacted.com )

The program was an Rdp and they does not allow disclosure.As the target does not provide payments or gifts in exchange, now its time for hall of fame!!!.

Most commonly i use subfinder tool + httpx to enumerate subdomains.I got a subdomain “sub.redacted.com” , visited and found a search bar. So i tried my payload : <script>alert(1)</script> to see the response.

hell!!! cloudflare blocked me!

cloudflare blocked

Almost every tags are got blocked by cloudflare except <svg>. So i quick search on google to find any svg attack vector to bypass and finally found a tweet:

payload: <svg onload=alert%26%230000000040"1')>

bypassed!!!… sub.redacted.com alerted “1”

cloudflare bypassed!

This is how,I bypassed Cloudflare WAF and found reflected XSS!!

Happy Hacking:)



Aswin Thambi Panikulangara

Bughunter, web pentester, Network pentester